Is this way of identify user by api secure and good practice?
āUnsolvedāQuestion
Hi, can someone help me with security of this, if this approach is secure, just ok, or if introduces security problems and has better ways to do that. I'm using a custom UI completely customized in react and using the backend to communicate with Zitadel, this is how i'm identifying the user. I know that i need to make some session checks but i'm asking myself if its ok or have improved ways to do that:
public class UserIdentifierImpl(TcktContext context) : IUserIdentifier
{
public async Task<Guid> GetUserIdentifier(HttpRequest request)
{
request.Cookies.TryGetValue("BearerCookieName", out var tokenId);
request.Cookies.TryGetValue("SessionId", out var sessionId);
const string zitadelApi = "http://localhost:8080/";
const string machineToken = "thDiOc52HbaMHj8PmEIcWlv0YBqZC0eF4umUwaE6i5N4UQvuzV5B28WU0eH1O33YfLwqJm4";
using var http = new HttpClient();
http.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", machineToken);
http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var createResp = await http.GetFromJsonAsync<theJson>($"{zitadelApi}/v2/sessions/{sessionId}?sessionToken={tokenId}");
if(createResp == null) throw new Exception("user not found");
var user = await context.Users.FirstOrDefaultAsync(x => x.ZitadelId == createResp.session.factors.user.id);
return user?.Id ?? throw new Exception("user not found");
}
}
public class UserIdentifierImpl(TcktContext context) : IUserIdentifier
{
public async Task<Guid> GetUserIdentifier(HttpRequest request)
{
request.Cookies.TryGetValue("BearerCookieName", out var tokenId);
request.Cookies.TryGetValue("SessionId", out var sessionId);
const string zitadelApi = "http://localhost:8080/";
const string machineToken = "thDiOc52HbaMHj8PmEIcWlv0YBqZC0eF4umUwaE6i5N4UQvuzV5B28WU0eH1O33YfLwqJm4";
using var http = new HttpClient();
http.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", machineToken);
http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var createResp = await http.GetFromJsonAsync<theJson>($"{zitadelApi}/v2/sessions/{sessionId}?sessionToken={tokenId}");
if(createResp == null) throw new Exception("user not found");
var user = await context.Users.FirstOrDefaultAsync(x => x.ZitadelId == createResp.session.factors.user.id);
return user?.Id ?? throw new Exception("user not found");
}
}
